From 730212a2ac6d5c920b605763c7b62a7730f5f3f3 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Fri, 14 May 2021 09:39:26 +0200 Subject: Cherry-Pick "Fix condition to generate session keys" Closes: #988478 --- .../Fix-condition-to-generate-session-keys.patch | 85 ++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 86 insertions(+) create mode 100644 debian/patches/Fix-condition-to-generate-session-keys.patch diff --git a/debian/patches/Fix-condition-to-generate-session-keys.patch b/debian/patches/Fix-condition-to-generate-session-keys.patch new file mode 100644 index 0000000..52fa248 --- /dev/null +++ b/debian/patches/Fix-condition-to-generate-session-keys.patch @@ -0,0 +1,85 @@ +From 227fbc117d58a87465804f7b2a5cd95ef1b94da6 Mon Sep 17 00:00:00 2001 +From: Arne Schwabe +Date: Sun, 28 Mar 2021 14:02:41 +0200 +Subject: [PATCH] Fix condition to generate session keys + +When OpenVPN sees a new (SSL) connection via HARD_RESET or SOFT_RESET with +the same port/ip as an existing session, it will give it the slot of the +renegotiation session (TM_UNTRUSTED). And when the authentication +succeeds it will replace the current session. In the case of a SOFT_RESET +this a renegotiation and we will generated data channel keys at the of +key_method_2_write function as key-id > 0. + +For a HARD RESET the key-id is 0. Since we already have gone through +connect stages and set context_auth to CAS_SUCCEEDED, we don't +call all the connect stages again, and therefore also never call +multi_client_generate_tls_keys for this session. + +This commit changes postponing the key generation to be done only if +the multi_connect has not yet been finished. + +Patch V2: Explain better in the commit message why this change is done. + +This is "sort of" a backport of commit a005044be9ca, except that the +master commit only got 1 of 3 hunks from the mailing list patch merged +while release/2.5 needs all 3. So this is exactly the patch as it was +sent to the list, URL below. + +Trac: #1316 + +Signed-off-by: Arne Schwabe +Acked-by: Antonio Quartulli +Acked-by: Gert Doering +Message-Id: <20210328120241.27605-2-arne@rfc2549.org> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21873.html +Signed-off-by: Gert Doering +--- + src/openvpn/ssl.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c +index d7494c2b3e..8359748b9b 100644 +--- a/src/openvpn/ssl.c ++++ b/src/openvpn/ssl.c +@@ -2295,7 +2295,8 @@ push_peer_info(struct buffer *buf, struct tls_session *session) + * to the TLS control channel (cleartext). + */ + static bool +-key_method_2_write(struct buffer *buf, struct tls_session *session) ++key_method_2_write(struct buffer *buf, struct tls_multi *multi, ++ struct tls_session *session) + { + struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ + +@@ -2386,12 +2387,17 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) + goto error; + } + +- /* Generate tunnel keys if we're a TLS server. +- * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key +- * generation is postponed until after the pull/push, so we can process pushed +- * cipher directives. ++ /* ++ * Generate tunnel keys if we're a TLS server. ++ * ++ * If we're a p2mp server to allow NCP, the first key ++ * generation is postponed until after the connect script finished and the ++ * NCP options can be processed. Since that always happens at after connect ++ * script options are available the CAS_SUCCEEDED status is identical to ++ * NCP options are processed and we have no extra state for NCP finished. + */ +- if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0)) ++ if (session->opt->server && (session->opt->mode != MODE_SERVER ++ || multi->multi_state == CAS_SUCCEEDED)) + { + if (ks->authenticated > KS_AUTH_FALSE) + { +@@ -2847,7 +2853,7 @@ tls_process(struct tls_multi *multi, + if (!buf->len && ((ks->state == S_START && !session->opt->server) + || (ks->state == S_GOT_KEY && session->opt->server))) + { +- if (!key_method_2_write(buf, session)) ++ if (!key_method_2_write(buf, multi, session)) + { + goto error; + } diff --git a/debian/patches/series b/debian/patches/series index 692c800..6bb0685 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ CVE-2020-15078-0.patch CVE-2020-15078-1.patch CVE-2020-15078-2.patch CVE-2020-15078-3.patch +Fix-condition-to-generate-session-keys.patch -- cgit v1.2.3